Hey nostr:npub1gcxzte5zlkncx26j68ez60fzkvtkm9e0vrwdcvsjakxf9mu9qewqlfnj5z noticed in the past few versions of Amethyst all uploads to nostr:npub1nxy4qpqnld6kmpphjykvx2lqwvxmuxluddwjamm4nc29ds3elyzsm5avr7 result in HTTP links instead of HTTPS - bug?

Wouldn't that be a privacy issue too?
The links do redirect to HTTPS but it's still a potential security flaw especially if someone's on a public network.
Actually, I say that, but my devices are all set to auto redirect to HTTPS for any page... if they're just returning HTTP by default without a redirect, yes this is a privacy and security risk.
Without a server side redirect or HSTS it is trivial to own anyone who logs into their account on the same network, plus the ISP and your government have a log of the exact images you viewed.
We just use what @nostr.build replies. If it replies with http, it goes in http.
Thanks for confirming that mate 👌
That's why I tagged you both, so this is a nostr:npub1nxy4qpqnld6kmpphjykvx2lqwvxmuxluddwjamm4nc29ds3elyzsm5avr7 bug.
Tbh the Nostr Build TLS setup could do with a lot of improvement and it wouldn't take long.
1. Enable HSTS and enroll in HSTS preloading - that would mitigate security issues from bugs like this but HSTS is disabled for your server/CDN
2. Update TLS config to support up to 1.3, remove support for 1.0 and 1.1
There's other little things too but those two are a big boost alone and would take five minutes if that.
nostr.build is returning http instead of https
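
The two checks discussed in this thread, written out as an added example (not code from Amethyst, nostr.build, or anyone in the thread): auditing a `Strict-Transport-Security` header against the HSTS preload requirements, and a client-side guard that refuses a non-HTTPS URL from an upload response. The function names are hypothetical and the header strings in the usage are constructed.

```python
from urllib.parse import urlsplit

PRELOAD_MIN_MAX_AGE = 31536000  # one year, the minimum the preload list requires


def parse_hsts(header):
    """Parse a Strict-Transport-Security value into a dict of directives."""
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")  # RFC 6797 forbids repeats
        directives[name] = value.strip().strip('"')
    return directives


def hsts_findings(header):
    """Return a list of problems; an empty list means preload-eligible."""
    if header is None:
        return ["no Strict-Transport-Security header"]
    try:
        d = parse_hsts(header)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    max_age = d.get("max-age", "")
    if not max_age.isdecimal():
        findings.append("max-age missing or not a number")
    elif int(max_age) == 0:
        findings.append("max-age=0 tells browsers to forget the policy")
    elif int(max_age) < PRELOAD_MIN_MAX_AGE:
        findings.append("max-age below one year")
    for flag in ("includesubdomains", "preload"):
        if flag not in d:
            findings.append(f"{flag} directive missing")
    return findings


def safe_media_url(url):
    """Client-side guard: accept only https URLs from an upload response."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https" or not parts.hostname:
        raise ValueError(f"refusing non-HTTPS media URL: {url!r}")
    return url
```

Feed `hsts_findings` the header value taken from an HTTPS response of the host being audited; browsers ignore HSTS headers delivered over plain HTTP.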